DNS ipchains named operation not permitted
James Raftery
james-bind-users at now.ie
Wed Oct 24 16:25:02 UTC 2001
On Wed, Oct 24, 2001 at 06:32:21AM -0700, keith wrote:
> I have a firewall which I am working on a RedHat 6.2 box.
>
> ipchains -A output -i $EXT_NET -p udp -s $IPADDR $UNPRIV_PORTS -d
> $EXT_NET 53 -j ACCEPT
> ipchains -A input -i $EXT_NET -p udp -s $EXT_NET 53 -s $IPADDR
> $UNPRIV_PORTS -j ACCEPT
> ipchains -A output -i $EXT_NET -p tcp -s $IPADDR $UNPRIV_PORTS -d
> $EXT_NET 53 -j ACCEPT
> ipchains -A input -i $EXT_NET -p tcp -s $EXT_NET 53 -s $IPADDR
> $UNPRIV_PORTS -j ACCEPT
What is ``$EXT_NET''? You have it as an interface name and a
destination address/net. Argh! Don't mangle information -- it's just
confusing.
Your output chain should allow:
source_addr: your_IP_address, source_port: >= 1024
dest_addr: any, dest_port: 53
for both UDP and TCP.
Your input chain should allow:
source_addr: any, source_port: 53
dest_addr: your_IP_address, dest_port: >= 1024
for both UDP and TCP.
> Do you guys know what I can do to debug this?
Add, as the very last entries for your input and output chains:
-A input --log
-A output --log
which will log any packets not handled by any other chains -- i.e. the
dropped packets. Then you can see exactly what ipfw dropped and debug
your rules accordingly.
jm
--
James Raftery (JBR54)
"It's somewhere in the Red Hat district" -- A network engineer's
freudian slip when talking about Amsterdam's nightlife at RIPE 38.
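The rule set James describes (output: your address and an unprivileged source port to any resolver on port 53; input: the reverse; both UDP and TCP) and the trailing log-only rules he suggests for debugging, written out as a script. This is an added example, not code from the thread or from either poster. The interface name eth0, the address 192.0.2.10 and the sample kernel log lines are constructed assumptions; DRY_RUN defaults to 1 so the script only prints the ipchains commands it would run. The summarize_log function goes a step beyond the reply: it tallies the "Packet log:" lines that the -l rules produce so the dropped traffic can be read at a glance.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds ipchains rules for a
# DNS client as described in the reply, appends log-only fallthrough rules,
# and summarises the resulting kernel log lines.

EXT_IF="${EXT_IF:-eth0}"          # external interface name (assumption)
IPADDR="${IPADDR:-192.0.2.10}"    # this host's address on that interface (constructed)
UNPRIV_PORTS="1024:65535"         # ipchains port-range syntax is low:high
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands, 0 = execute them

run() {
    # Print or execute one ipchains invocation, depending on DRY_RUN.
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

dns_client_rules() {
    # One output and one input rule per transport, matching the reply:
    # output: src our address, sport >= 1024, dst any, dport 53
    # input:  src any, sport 53, dst our address, dport >= 1024
    for proto in udp tcp; do
        run -A output -i "$EXT_IF" -p "$proto" -s "$IPADDR" "$UNPRIV_PORTS" -d 0.0.0.0/0 53 -j ACCEPT
        run -A input -i "$EXT_IF" -p "$proto" -s 0.0.0.0/0 53 -d "$IPADDR" "$UNPRIV_PORTS" -j ACCEPT
    done
}

log_unmatched() {
    # Appended last: -l (same as --log) with no -j target logs the packet and
    # then lets it fall through to the chain policy, so with a DENY policy the
    # "Packet log:" lines in the kernel log are exactly the dropped packets.
    run -A input -l
    run -A output -l
}

summarize_log() {
    # Read ipchains kernel log lines on stdin and count them by chain, verdict,
    # protocol and destination port. Field layout assumed (constructed sample):
    #   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "log:") {
                chain = $(i + 1); verdict = $(i + 2); proto = $(i + 4)
                dst = $(i + 6); sub(/.*:/, "", dst)
                print chain, verdict, proto, "dport=" dst
            }
        }
    }' | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample log lines, as the -l rules would produce them.
SAMPLE_LOG='Packet log: input DENY eth0 PROTO=17 198.51.100.1:53 192.0.2.10:1025 L=60 S=0x00 I=1 F=0x0000 T=64 (#3)
Packet log: input DENY eth0 PROTO=17 198.51.100.1:53 192.0.2.10:1025 L=60 S=0x00 I=2 F=0x0000 T=64 (#3)
Packet log: output DENY eth0 PROTO=6 192.0.2.10:1040 198.51.100.1:53 L=60 S=0x00 I=3 F=0x0000 T=64 (#3)'

# Demonstration: print the rules, then summarise the constructed log.
dns_client_rules
log_unmatched
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

With DRY_RUN=0 the same functions apply the rules on a host that still runs ipchains; the chain policies (ipchains -P input DENY and -P output DENY) are assumed to be set separately. In the summary, a line such as "2 input DENY PROTO=17 dport=1025" says two UDP replies from port 53 to an unprivileged port were dropped on the input chain, which points straight at a missing or mis-specified input rule.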